git.stella-ops.org/docs/features/unchecked/cli/cli-scan-command-consolidation.md

# CLI Scan Command Consolidation

## Module
Cli

## Status
IMPLEMENTED

## Description
Unified `stella scan` command hub with run/download/workers/graph/secrets/image subcommands, consolidating previously separate scanning commands.

## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/Scan/` -- consolidated scan command directory
- **Scan Graph**: `src/Cli/StellaOps.Cli/Commands/ScanGraphCommandGroup.cs` -- scan graph commands
- **Scanner Executor**: `src/Cli/StellaOps.Cli/Services/ScannerExecutor.cs` / `IScannerExecutor.cs` -- scanner execution service
- **Scanner Installer**: `src/Cli/StellaOps.Cli/Services/ScannerInstaller.cs` / `IScannerInstaller.cs` -- scanner installation
- **Commands**:
  - `stella scan run <image>` -- run a vulnerability scan. Options: `--policy <file>`, `--format json|table|sarif`, `--sbom-format cdx|spdx`
  - `stella scan download` -- download scanner binaries
  - `stella scan workers` -- manage scanner workers
  - `stella scan graph` -- scan graph operations
  - `stella scan secrets <path>` -- secrets scanning
  - `stella scan image <image>` -- image-specific scanning
- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/GoldenOutput/ScanCommandGoldenTests.cs`, `ScanCommandGoldenOutputTests.cs`, `ScannerDownloadVerifyTests.cs`, `ScannerWorkersCommandTests.cs`

## E2E Test Plan
- [ ] Run `stella scan run myregistry/app:v1.0` and verify scan execution with results
- [ ] Run `stella scan run --format sarif --output ./results.sarif` and verify SARIF output
- [ ] Run `stella scan download` and verify scanner binary download
- [ ] Run `stella scan workers list` and verify worker status
- [ ] Run `stella scan secrets ./src` and verify secrets scanning
- [ ] Run `stella scan image myregistry/app:v1.0` and verify image scanning
- [ ] Verify golden output tests pass for scan commands
- [ ] Verify exit codes: 0=clean, 1=vulnerabilities found, 2=error